From: Marcel Poul Date: Thu, 15 Dec 2011 20:09:07 +0000 (+0000) Subject: use standard directories and files for certificates and keys X-Git-Tag: emi-canl-c_R_1_0_0_0~121 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=1c7cbe77e085b541f18832491ae2bf9bc386615e;p=jra1mw.git use standard directories and files for certificates and keys --- diff --git a/emi.canl.canl-c/src/canl_cert.c b/emi.canl.canl-c/src/canl_cert.c index 5c011c1..6069eb2 100644 --- a/emi.canl.canl-c/src/canl_cert.c +++ b/emi.canl.canl-c/src/canl_cert.c @@ -59,6 +59,15 @@ end: int do_set_ctx_own_cert_file(glb_ctx *cc, char *cert, char *key) { int err = 0; + + if (!cc->cert_key){ + cc->cert_key = (cert_key_store *) calloc(1, sizeof(*(cc->cert_key))); + if (!cc->cert_key) { + return set_error(cc, ENOMEM, posix_error, "not enought memory" + " for the certificate storage"); + } + } + /* otherwise the private key is in cert file*/ if (key) { err = set_key_file(cc, key); @@ -80,23 +89,13 @@ static int set_key_file(glb_ctx *cc, char *key) int err = 0; FILE * key_file = NULL; - if (!cc->cert_key){ - cc->cert_key = (cert_key_store *) calloc(1, sizeof(*(cc->cert_key))); - if (!cc->cert_key) { - err = ENOMEM; - set_error(cc, err, posix_error, "not enought memory for the" - " certificate storage"); - return ENOMEM; - } - } - if (cc->cert_key->key) { EVP_PKEY_free(cc->cert_key->key); cc->cert_key->key = NULL; } key_file = fopen(key, "rb"); if (!key_file) { - err = errno; + err = errno; set_error(cc, err, posix_error, "cannot open file with key"); return err; } @@ -131,15 +130,6 @@ static int set_cert_file(glb_ctx *cc, char *cert) int err = 0; FILE * cert_file = NULL; - if (!cc->cert_key){ - cc->cert_key = (cert_key_store *) calloc(1, sizeof(*(cc->cert_key))); - if (!cc->cert_key) { - err = ENOMEM; - set_error(cc, err, posix_error, "not enought memory for the" - " certificate storage"); - return ENOMEM; - } - } if (cc->cert_key->cert) { X509_free(cc->cert_key->cert); diff --git a/emi.canl.canl-c/src/canl_ssl.c b/emi.canl.canl-c/src/canl_ssl.c index eba8d3a..ad72d9e 100644 --- a/emi.canl.canl-c/src/canl_ssl.c +++ b/emi.canl.canl-c/src/canl_ssl.c @@ -14,6 +14,9 @@ int ssl_server_init(glb_ctx *cc) int err = 0; unsigned long ssl_err = 0; CANL_ERROR_ORIGIN e_orig = unknown_error; + char *ca_cert_fn, *user_cert_fn, *user_key_fn, *user_proxy_fn; + char *ca_cert_dirn = NULL; + ca_cert_fn = user_cert_fn = user_key_fn = user_proxy_fn = NULL; if (!cc) { return EINVAL; @@ -30,8 +33,27 @@ int ssl_server_init(glb_ctx *cc) goto end; } - //TODO test hardcoded - SSL_CTX_load_verify_locations(cc->ssl_ctx, "~/terena_ca_file.pem", NULL); + err = proxy_get_filenames(0, &ca_cert_fn, &ca_cert_dirn, &user_proxy_fn, + &user_cert_fn, &user_key_fn); + if (!err && (!cc->cert_key || !cc->cert_key->cert || !cc->cert_key->key)) { + err = do_set_ctx_own_cert_file(cc, user_cert_fn, user_key_fn); + if (err) + goto end; + } + + free(user_cert_fn); + user_cert_fn = NULL; + free(user_key_fn); + user_key_fn = NULL; + //TODO where to use proxy on server side + free(user_proxy_fn); + user_proxy_fn = NULL; + + SSL_CTX_load_verify_locations(cc->ssl_ctx, ca_cert_fn, ca_cert_dirn); + free(ca_cert_fn); + ca_cert_fn = NULL; + free(ca_cert_dirn); + ca_cert_dirn = NULL; //err = SSL_CTX_set_cipher_list(cc->ssl_ctx, "ALL:!LOW:!EXP:!MD5:!MD2"); err = SSL_CTX_set_cipher_list(cc->ssl_ctx, "ALL"); @@ -87,11 +109,11 @@ int ssl_server_init(glb_ctx *cc) end: if (ssl_err) { - set_error(cc, ssl_err, e_orig, "cannot initialize SSL context"); + set_error(cc, ssl_err, e_orig, "Cannot initialize SSL context"); return 1; } else if (err) { - set_error(cc, ssl_err, e_orig, "cannot initialize SSL context"); + set_error(cc, err, e_orig, "Cannot initialize SSL context"); return 1; } return 0;